Microsoft admits unauthorized access to Exchange Online, blames Chinese gang

Storm-0558 had access to customer accounts and mail – maybe even for senior US officials

US Commerce Secretary Gina Raimondo and other State and Commerce Department officials were reportedly among the victims of a China-based group's attack on Microsoft's hosted email services.

The widespread reports cite "unnamed officials" as their source and note that the US State Department denies that any classified systems were breached.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory detailing how a Federal Civilian Executive Branch (FCEB) agency was tipped off when it observed MailItemsAccessed events with an unexpected ClientAppID and AppID in Microsoft 365 Audit Logs – as the AppId did not normally access mailbox items in that manner.

The FCEB agency reported the activity to Microsoft, which confirmed threat actors accessed customer email accounts through Outlook Web Access in Exchange Online (OWA) and exfiltrated unclassified data. Microsoft said it was made aware of the hack on June 16, but had kept it under wraps while "working with the impacted customers and notifying them prior to going public with further details."

Redmond said the threat actor had operated since May 15, when it gained access to email data from around 25 organizations and other associated consumer accounts. Entry was forced by forging email authentication tokens with an acquired Microsoft accounts (MSA) consumer signing key.

Microsoft, which reported the event on Tuesday, attributed the attacks to a China-based threat actor it tracks as Storm-0558.

"We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems," the software titan wrote.

US Department of State spokesperson Matthew Miller said [VIDEO] on Wednesday the department "noted the attribution Microsoft has made" – but that the agency would not make a public attribution at this time.

CISA said Microsoft addressed the issue by blocking tokens issued with the acquired key and changing the key. Microsoft stated it has completed mitigation of this attack for all customers, including implementing automated detections for known indicators of compromise. It also asserted there is no evidence of further illicit access.

Secretary Raimondo met with her Chinese counterpart, Wang Wentau, ten days following the May 15 breach to discuss strained relations.

China has an obvious interest in reading any thoughts she shared in email about that meeting.

On Wednesday, China's Foreign Ministry spokesperson Wang Wenbin used the agency's regular press conference to point a finger back at the US – calling it "the world's biggest hacking empire and global cyber thief." ®

More about


Send us news

Other stories you might like